Windows Remote Administration Tool via Telegram (now in Python 3.7!) | Originally created by Ritiek
-
The current Remote Administration Tools in the market face 2 major problems:
- Lack of encryption.
- Require port forwarding in order to control from hundreds of miles.
-
This RAT overcomes both these issues by using the Telegram bot API.
- Fully encrypted. The data being exchanged cannot be spied upon using MITM tools.
- Telegram messenger app provides a simple way to communicate to the target without configuring port forward before hand on the target.
- Keylogger with window title log included
- Get target PC's Windows version, processor and more
- Get target PC's IP address information and approximate location on map
- Delete, Move files
- Show current directory
- Change current directory
- List current or specified directory
- Download any file from the target
- Upload local files to the target. Send your image, pdf, exe or anything as
fileto the Telegram bot - Autostart playing a video in fullscreen and no controls for a youtube video on target
- Take Screenshots
- Execute any file
- Access to microphone
- Start HTTP Proxy Server
- Freeze target's keyboard
- Schedule tasks to run at specified datetime
- Encode/Decode all local files
- Ping targets
- Update .exe -- thanks LearnerZone
- Self-Destruct RAT
- Change wallpaper from file or url
- Execute cmd shell
- Take snapshots from the webcam (if attached)
- Execute arbitrary python 3.7 on the go
- Freeze target's mouse
- [TODO] Browser (IE, Firefox,
Chrome) cookies retrieval - [TODO] Password retrieval
- [TODO] Monitor web traffic (graphically?)
- [TODO] Bandwidth monitoring (stepping stone to web traffic monitoring) - started 28/10/2018
- [TODO] Fine-tuning scripting (i.e.: if app x is opened y is executed)
- [TODO] Capture clipboard (Text, Image)
- [TODO] Hide desktop icons
- [TODO] Audio compression
- [TODO] Name server lookup (/nslookup - #19)
Thanks Dviros:
- Chrome login/password retrieval
- Display ARP table
- Get active processes and services
- Shutdown/Reboot computer
- Display DNS Cache
& More coming soon!
- Clone this repository.
- Set up a new Telegram bot talking to the
BotFather. - Copy this token and replace it in the beginning of the script.
- Run
compile.py- Generates an executable binary
- To run the script:
python RATAttack.py. - Find your bot on telegram and send some command to the bot to test it.
- To restrict the bot so that it responds only to you, note down your
chat_idfrom the console and replace it in the script and comment out the linereturn True. Don't worry, you'll know when you read the comments in the script.
- A folder named
RATAttackwill be created in your working directory containingkeylogs.txtand any files you upload to the bot.
When using the below commands; use / as a prefix. For example: /pc_info.
arp - display arp table
capture_pc - screenshot PC
cmd_exec - execute shell command
cp - copy files
cd - change current directory
delete - delete a file/folder
download - download file from target
decode_all - decode ALL encoded local files
dns - display DNS Cache
encode_all - encode ALL local files
freeze_keyboard - enable keyboard freeze
unfreeze_keyboard - disable keyboard freeze
get_chrome - Get Google Chrome's login/passwords
hear - record microphone
ip_info - via ipinfo.io
keylogs - get keylogs
ls - list contents of current or specified directory
msg_box - display message box with text
mv - move files
pc_info - PC information
ping - makes sure target is up
play - plays a youtube video
proxy - opens a proxy server
pwd - show current directory
python_exec - interpret python
reboot - reboot computer
run - run a file
schedule - schedule a command to run at specific time
self_destruct - destroy all traces
shutdown - shutdown computer
tasklist - display services and processes running
to - select targets by it's name
update - update executable
wallpaper - change wallpaper
You can copy the above to update your command list via BotFather so you don't have to type them manually.
- Run
compile.py. You can also pass--icon=<path/to/icon.ico>to use a custom icon. If you want to use UPX for compression, you can add--upx-dir [upx-3.95-win64 | upx-3.96-win32], depending on your architecture. You can skip this last option if you have UPX in yourPATHenvironment variable. - Once it is compiled successfully, find the
.exefile inC:/Python37/Scripts/dist/or the current directory, depending on where you called it from. - BEWARE! If you run the compiled
.exe, the script will move itself to startup and start with your PC to run at startup. You can return to normal by using the/self_destructoption or manually removing%APPDATA%/Portaldirectory and%APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup/portal.lnk.
- You can also modify the name of hidden
.exefile and location and name of the folder where the hidden.exewill hide itself. To do this; modifycompiled_nameandhide_folderrespectively. - Assign your known chat ids to beginning of RATAttack.py
- This project is still in very early stages, so you can expect some bugs. Please feel free to report them! Even better, send a pull request :)
- Any new features and ideas are most welcome! Please do submit feature requests by creating Issues
- Branch protection is enabled on
master. You must work in an alternate branch (e.g.dev) and make a PR. This is to ensure that master has a working and approved version of RvT.
A markdown file with credits: Credit file
People with PRs:
- Brendan | some stuff
- Dviros | Chrome login/password retrieval | ARP Table | Process/services | shutdown/reboot | dns cache
- LearnerZone | Support on updating the executable
Dependency owners: A load of people who turn coffee to code
Original creator:
This tool is supposed to be used only on authorized systems. Any unauthorized use of this tool without explicit permission is illegal.
The MIT License
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent